Appearance
Tracking β Auth expansion Phase 1 (Linear stand-in) β
Linear (team gravitas) is at the free-plan issue cap; this doc stands in for the issue set. One row per work item. Update the Status column in the same commit that completes the item. When Linear frees up, port rows to issues and link them here.
Spec: docs/superpowers/specs/2026-07-14-auth-expansion-design.mdPlan: docs/superpowers/plans/2026-07-14-auth-expansion-phase1.mdBranch: feature/auth-expansion-phase1
| # | Work item | Status |
|---|---|---|
| 1 | Migration A β Pending enum value | β Done |
| 2 | Migration B β open signup, is_member(), restrictive RLS, seed fix | β Done |
| 3 | Go libs/auth β RolePending + exclusion tests | β Done |
| 4 | Supabase config β GitHub/Apple blocks, email confirmations, env docs | β Done |
| 5 | Web core β LoginPolicy, environments, AuthService rework (no bypass) | β Done |
| 6 | Guards + routes β memberGuard/pendingGuard, role-aware callback | β Done |
| 7 | Login page β policy-driven buttons, password panel, MFA challenge | β Done |
| 8 | Signup page | β Done |
| 9 | Verify page | β Done |
| 10 | Reset-password pages (request + update) | β Done |
| 11 | Pending page | β Done |
| 12 | MFA scaffold β /settings/security | β Done |
| 13 | Dev-bypass removal + seed script rename + e2e support update | β Done |
| 14 | E2E β signupβverifyβpending, reset flow, mail helper | β Done |
| 15 | Full gate + review record + STATUS notes | β Done |
Known gaps (Phase 2) β
- MFA/AAL2 is enforced client-side only; the Go API and RLS do not check the
aalclaim β server-side enforcement lands with Phase 2 org policies.
Ops checklist (user-run, not code β mirrors spec Β§4.6) β
- [ ] Google consent screen Internal β External
- [ ] GitHub OAuth app (prod) + Dashboard provider config
- [ ] GitHub OAuth app (local) β
GITHUB_CLIENT_ID/SECRETin.env - [ ] SMTP provider on hosted Supabase
- [ ] Apple Developer account β credentials β flip
appleEnabled
Manual OAuth verification (needs real GITHUB_* / GOOGLE_* creds in .env) β
OAuth providers can't be driven headlessly, so the e2e suite covers only the password flows; verify these by hand once local OAuth creds exist:
- [ ] Google: /login β Continue with Google β account chooser (any domain) β lands /pending (new) or / (member)
- [ ] GitHub: /login β Continue with GitHub β authorize β lands /pending
- [ ] Same-email linking: GitHub sign-in with an email that already has a password account β single user row, two identities